At most organizations, residual risk typically lurks in one or more of three areas. By bringing risk in these areas under control, you can go a long way toward making your organization more resilient.
Defining Residual Risk
Residual risk is the risk that is left in an organization after the risk-reducing effects of your mitigation controls are taken into account.
It’s one of the foundational concepts of business continuity management.
Unfortunately, it’s also an area that many senior executives and even BCM professionals misunderstand and neglect.
This is regrettable since residual risk is where the rubber meets the road in terms of doing things that will make your organization more secure.
Think of your organization’s residual risk as a fat, juicy target of opportunity. Residual risk is low-hanging fruit. By identifying your residual risk and reducing it, you get the most bang for your business continuity buck in terms of making your company more resilient.
Understanding Risk Tolerance
As I’ve discussed in previous blogs (see the links at the bottom), the goal for organizations is not to get their risk down to zero. It’s for management to identify how much risk it is willing to tolerate—and for the organization to get its risk down below that level. The gap between management’s risk tolerance and the actual risk is the residual risk. This is what you want to shrink.
Two other preliminary points:
First, management’s risk tolerance should not be chosen at random. It should be based on a rational analysis of the cost to the organization of having its operations offline. An organization that can undergo an outage of five days at no great cost is justified in having a high risk tolerance. An organization that would suffer a large impact as the result of an outage of two hours should be willing to accept very little risk. Where risk tolerance is high, controls can be relaxed. Where it is low, controls must be tight. (An organization’s risk tolerance also tends to reflect the personality of the senior managers; some like to gamble, others are risk averse.)
Second, even within a given organization, risk tolerance can and should vary across different parts of the operation depending on their criticality.
The Big Three Areas of Residual Risk
Most residual risk lives in three areas of a company’s operations. Call them the Big Three of residual risk. They are: recovery strategies, recovery exercises, and basic infrastructure.
Let’s look at them one by one.
A large proportion of the residual risk at most companies can be found lurking in their recovery strategies. The problem is not with the strategies. These tend to be sound in their approach. The problem is that many companies, after investing time and resources to devise good recovery strategies, don’t fully implement them.
An equivalent might be a hotel that figures out the most efficient fire escape route for every room—but doesn’t install signs to inform guests what they are. It’s good the hotel worked out the escape routes, but in the event of a fire, their effort won’t do any good since they didn’t complete the job by putting up the proper signage. It’s the same with organizations that devise recovery strategies but don’t fully implement them.
One of the best and easiest ways for organizations to bring their residual risk below management’s risk tolerance level is to fully implement their recovery strategies to meet the recovery requirements.
The situation with recovery exercises is similar to that with recovery strategies. Again, there are good intentions but inadequate follow through. Many organizations conduct recovery exercises, but too often these are insufficiently rigorous and realistic.
Tabletop exercises might be adequate for less critical functions. They are not adequate for processes that are time-sensitive and mission-critical. (See “Let’s Get Real: The Limitations of Tabletop Recovery Exercises.”) Critical processes need to be fully tested to ensure that they are recoverable within the needed time frame.
Often the organization’s testing program envisions such exercises, but they are never carried out and tested to fully stress test the ability to recover Setting up and fully implementing a solid testing program is another excellent way to reduce residual risk.
The third member of the Big Three is basic infrastructure. Many organizations have a great deal of residual risk hidden away in various parts of their infrastructure. The reason is their infrastructure is fragile and not well understood.
Often, critical portions of their infrastructure are left hanging by a thread. This is most commonly seen in three areas: electrical power, data backups, and network connectivity. Many organizations lack sufficient backup power supplies to keep even their most critical equipment and systems functioning in the event of a power outage. A lot of organizations do not make sure their data backups are functioning properly, which can lead to unexpected data loss. Many are totally dependent on unstable computer networks that lack redundancy, a situation that can easily result in operations coming to a halt.
These shortcomings all create pockets of residual risk. Strengthening these elements of basic infrastructure is an efficient way of reducing risk and improving resiliency.
Taking Big Strides
Residual risk is the risk that lurks in an organization after the beneficial effects of its risk-reducing controls is taken into account. The goal in managing risk is not to bring it down to zero but to bring it within management’s declared risk tolerance level.
At most organizations, residual risk can be found primarily in three areas—call them the Big Three of residual risk. They are recovery strategies, recovery exercises, and basic infrastructure. By identifying and squeezing out risk in these areas, BC professionals can take big strides toward increasing their organizations’ overall resilience.
For more information on these three areas of residual risk. residual risk in general, and other hot topics in BCM and IT/disaster recovery, check out these recent posts from BCMMETRICS and MHA Consulting:
- Risky Business: 9 Ways That Not Measuring Residual Risk Can Harm Your Organization
- Calculated Risk: The Two Kinds of Risk Assessment
- Rethinking Risk: A Better Way to Think About Risk in Business Continuity Management
- Risk Mitigation: 8 Controls That Can Reduce Risk
- Know Your Gaps: Manage Residual Risk to Keep Your Company Safe
- Let’s Get Real: The Limitations of Tabletop Recovery Exercises